This is a study of the security of the Coherent One-Way (COW) protocol for quantum cryptography,
proposed recently as a simple and fast experimental scheme. In the zero-error regime,
the eavesdropper Eve can only take advantage of the losses in the transmission. We consider new 
attacks, based on unambiguous state discrimination, which perform better than the basic beam- 
splitting attack, but which can be detected by a careful analysis of the detection statistics. These 
results stress the importance of testing several statistical parameters in order to achieve higher rates 
of secret bits. 



I. INTRODUCTION 

First proposed by Bennett and Brassard in 1984 (BB84 protocol, [1]), quantum cryptography has
attracted a lot of attention, as a means of realizing a useful task (key distribution for secret
communication) based on the superposition principle of quantum physics. One of the features that
makes quantum cryptography appealing is the possibility of implementing it with present-day
technology. After several years devoted to more and more elaborate realizations of the BB84
protocol [2], people gained confidence, and started devising new protocols that are tailored for
practical implementations. A new class of such protocols are distributed phase reference schemes
[3-5], where the signals have overall phase relationships to each other, which is expected to
protect against some loss-related attacks, such as the photon-number splitting attack, in a
similar way as the strong phase reference in the original Bennett 1992 (B92) protocol [6] does.
These new protocols provide new challenges for theorists, as we can no longer identify individual
signals, and so the usual security proof techniques do not apply. It is important to understand
how we prove the security, and the context of the present work is to show limitations of secure
rates by showing specific attacks that can be performed by an eavesdropper.

In a protocol like BB84, each bit is coded in a qubit: 
Alice prepares a photon in a given state which codes (say)
for 0 and sends it to Bob; then, she prepares another photon
in another state which codes (say) for 1, and sends
it, and so on. In short, each quantum signal codes for 
one bit. For this kind of protocols, powerful security 
proofs have been derived for the case where the quantum 
signal is a single photon [7-9] or a weak coherent pulse 
[10,11]. But one can also code a bit in the relative phase 
between any two successive coherent pulses: in such a 
protocol (called differential phase shift) the first bit is in 
the phase between pulse one and pulse two, the second 
bit in the phase between pulse two and pulse three, and 
so on [3]. Thus, each pulse participates in the coding of
two bits and is coherent with all the other pulses: there
is a unique quantum signal, the string of all the pulses,
which codes for the whole string of bits.

The search for security bounds for such schemes is an 
important research activity in theoretical quantum cryp- 
tography. In this paper, we study a protocol of the same 
kind called Coherent One-Way (COW) [4,5], which will 
be explained in detail later. We present new attacks on 
this protocol based on unambiguous state discrimination. 
These attacks take advantage of the fact that, on the one 
hand, the coding of COW makes use of empty pulses and, 
on the other hand, coherence is checked only between suc- 
cessive pulses: in particular then, no coherence is checked 
between all that comes before and all that comes after an 
empty pulse. Therefore, if Eve can be sure that a given 
pulse was empty, she can make an attack that breaks no 
observed coherence. The attacks that we have found do 
not introduce any errors in the statistical parameters that 
are usually checked, the quantum bit error rate (QBER) 
and the visibility of an interferometer; but they do intro- 
duce modifications in other statistical parameters, which 
Alice and Bob could check as well. The main message of 
this paper is that the COW protocol should include ad- 
ditional statistical checks. Of course, since we describe 
specific attacks, in this paper we derive only upper bounds
for security (i.e., more powerful attacks may exist). 

The paper is organized as follows. In Section II we re- 
call the definition of the COW protocol and introduce our 
working assumptions. Section III presents unambiguous 
state discrimination (USD) strategies on three and four 
successive pulses, and the detection rates for the COW 
protocol that Bob would observe if Eve applied those 
strategies. In Section IV, we present our main results: 
an attack that combines three USD strategies and that 
preserves all the observed detection rates in Bob's de- 
tectors. Section V is a conclusion. In the Appendices, 
we provide the security study for a three-state protocol 
that is the analog of the COW protocol if the coherence 
between bits would be broken (Appendix A) and for the 
beam-splitting attack considered as a collective attack 
(Appendix B); we also present the detailed calculations 
for the best attack that we have found (Appendix C) 
and an attack that becomes possible if Alice and Bob
would make a too limited statistical analysis (Appendix 
D); finally, we suggest a feasible modification of the COW 
protocol that would improve its security (Appendix E). 



II. THE COW PROTOCOL 

A. The protocol 

The idea of the COW protocol is to have a very simple 
data line in which the raw key is created, protected by 
the observation of quantum interferences in a monitoring 
line. We review here its features, referring to Refs [4,5] 
for a more comprehensive discussion of motivations and 
practical issues. The protocol is schematized in Fig. 1. 

FIG. 1. Schematic description of the COW protocol. A
continuous, phase-stabilized coherent laser beam is sent 
through an intensity modulator (IM) that shapes discrete 
pulses, while preserving the coherence. See text for all other 
details. 

Alice produces a train of equally spaced coherent pulses. The logical bit 0 is encoded in the
sequence $|0\rangle_{2k}|\alpha\rangle_{2k-1}$ of a non-empty pulse at time $t_{2k-1}$ followed
by an empty one at time $t_{2k}$; the logical bit 1 in the opposite sequence
$|\alpha\rangle_{2k}|0\rangle_{2k-1}$. We write $\mu = |\alpha|^2$ the mean photon number in a
non-empty pulse. Alice produces each bit value with probability $(1-f)/2$; with probability $f$,
she sends out the decoy sequence $|d\rangle = |\alpha\rangle_{2k}|\alpha\rangle_{2k-1}$, which
does not encode any bit value. The coherence time of Alice's laser is very large, so that the
quantum signal cannot be divided bitwise, because there is phase coherence between any two
non-empty pulses. In other words, there is a single quantum signal, defined by Alice's list, e.g.

$$\cdots\ \overbrace{0\alpha}^{0} : \overbrace{\alpha\alpha}^{d} : \overbrace{0\alpha}^{0} : \overbrace{\alpha 0}^{1}\ \cdots \tag{1}$$

(from now on, the colon represents the bit separation). The coherence across different bits is
crucial to this scheme; a protocol that uses the same coding of bits, but in which there is no
distributed coherence, is presented in Appendix A.

Alice and Bob are connected by a quantum channel of length $\ell$ whose transmission coefficient
is $t = 10^{-\alpha_{\mathrm{att}}\ell/10}$. The parameter $\alpha_{\mathrm{att}}$, whose units
are dB/km, is called the attenuation coefficient.



Bob's detection is completely passive. At the entrance of Bob's device, an asymmetric coupler
sends a fraction $t_B$ of the photons into the data line, and the remaining fraction $1 - t_B$
into the monitoring line. The data line consists of a single photon counter $D_B$: the logical
bits 0 and 1 are discriminated by measuring the time of arrival (this gives indeed the best
unambiguous state discrimination between the states $|0\rangle|\alpha\rangle$ and
$|\alpha\rangle|0\rangle$). The errors on the data line give the quantum bit error rate (QBER,
$Q$). The monitoring line contains a stabilized unbalanced interferometer and two photon counters
$D_{M1}$, $D_{M2}$. In the interferometer, the delayed half of each pulse is recombined with the
non-delayed half of the next pulse: if the two pulses were non-empty, the interference is
arranged in such a way that $D_{M2}$ should never click. The cases where two successive pulses
are non-empty are (i) the decoy sequences, in which case the coherence is within the bit
separation, and (ii) a logical bit 1 followed by a logical bit 0, in which case the coherence is
across the bit separation. In each of these cases separately ($s = d$ or $s = 1-0$), Alice and
Bob can estimate the errors through the visibility $V_s$ = where $p(D|s)$ is the probability
that detector $D$ has fired at a time corresponding to a $s$ sequence.

For the estimation of the visibilities and of the counting statistics, Bob announces (i) in which
two-pulse sequence he had a detection in the data line, and (ii) at which times he had a
detection in $D_{M1}$ and $D_{M2}$. Alice tells Bob which items of the data line must be
discarded because they correspond to decoy sequences; on her side, she estimates $V_d$ and
$V_{1-0}$ and the counting statistics. Finally, $Q$ is estimated as usual by Bob revealing some
of the bits of the data line.

The amount of information gathered by Eve is estimated through $Q$, $V_d$, $V_{1-0}$, but not
only: the monitoring of other statistical quantities may provide much better estimates.
Specifically, it is important to monitor detection rates, as we show in this paper. Finer checks
could involve the monitoring of the frequency of each bit value and of many-bit strings, the
rate at which any two or all three detectors fire, etc.



B. Detection statistics in the zero-error case 

In this work, we consider only attacks that introduce no errors in the state parameters of the
coding ($Q = 0$, $V = 1$), and that can therefore be detected only by looking at the statistics
of the photon counters. Among the statistical parameters, we focus on detection rates. We
suppose that all three of Bob's detectors have the same quantum efficiency $\eta$ and no dark
counts. We also work in the trusted-device scenario, i.e. the inefficiency of the detector is
not given to Eve. Under these assumptions, the expected detection rates are the following:

• In detector $D_B$, one can estimate the detections due to "bits" and those due to "decoy
sequences" (detection rate per two time-slots):

$$D_{B,\mathrm{bit}} = (1-f)\left(1 - e^{-\mu t t_B \eta}\right), \tag{2}$$
$$D_{B,\mathrm{decoy}} = 2f\left(1 - e^{-\mu t t_B \eta}\right); \tag{3}$$

of course, the total detection rate in this detector is

$$D_B = D_{B,\mathrm{bit}} + D_{B,\mathrm{decoy}}. \tag{4}$$

• In detectors $D_{M1}$ and $D_{M2}$, one can estimate two different detection rates. (i) The
detection rates at time $t_{2k}$ correspond to interference between two pulses within a bit
sequence. The logical bits produce random outcomes, while the decoy sequences interfere
constructively in $D_{M1}$ (recall $V = 1$):

$$D_{M1,2k} = (1-f)\,D_{\mathrm{rand}} + f\,D_{\mathrm{int}}, \tag{5}$$
$$D_{M2,2k} = (1-f)\,D_{\mathrm{rand}}, \tag{6}$$

where $D_{\mathrm{rand}} = 1 - e^{-\mu t (1-t_B)\eta/4}$ and
$D_{\mathrm{int}} = 1 - e^{-\mu t (1-t_B)\eta}$. (ii) The detection rates at time $t_{2k+1}$
correspond to interference between two pulses across the bit separation. Constructive
interference appears in $D_{M1}$ in the cases 1−0, 1−d, d−0 and d−d, i.e. with probability
$(1+f)^2/4$; in the case 0−1 there is no photon, so no detection; in the other cases the outcome
is random:

$$D_{M1,2k+1} = \frac{1-f^2}{2}\,D_{\mathrm{rand}} + \frac{(1+f)^2}{4}\,D_{\mathrm{int}}, \tag{7}$$
$$D_{M2,2k+1} = \frac{1-f^2}{2}\,D_{\mathrm{rand}}. \tag{8}$$

Now, since $t_B$ has been calibrated by Bob, these six detection rates depend only on two
parameters, namely $f$ and $x = e^{-\mu t \eta}$. Bob can verify that the observed detection
rates are consistent in themselves, and with the expected values of $f$ and $x$.

About other statistical quantities that can be checked by Alice and Bob: in the attacks that we
consider below, the coincidence rates are not really a concern, the bit values are equally
probable; but the many-bit statistics are somehow biased and may reveal the attacks.



C. Zero-error attacks

In the ideal situation that we consider (zero-error, i.e. $Q = 0$, $V = 1$), the eavesdropper
can take advantage only of the losses in the channel, whose transmission is $t$. Here we
characterize the full set of attacks that Eve can have performed, if Alice and Bob observe zero
errors.

The simplest attack is the beam-splitting (BS) attack. Eve simulates the lossy channel by
extracting the $(1-t)$ fraction of the signal with a beam-splitter, and sends the expected
fraction $t$ to Bob on a lossless line. Since a beam-splitter is strictly equivalent to losses,
this attack is always possible and is impossible to detect by monitoring the data of Alice and
Bob. Thus, this attack sets an obvious upper bound on the achievable secret key rate. We analyze
it in detail in Appendix B, improving over the study of Ref. [5]. Though it is unavoidable, the
BS attack is not very powerful: it would be a very good point for a protocol, if it could be
shown that this attack is the only possible one in the absence of errors.

The BS attack is an example of attacks that preserve the mode, while possibly changing the
statistics of the photon numbers; these attacks always belong to the class of zero-error
attacks. In distributed phase reference schemes, each photon belongs to an extended mode that
encodes the coherence. Specifically, in the case of differential phase shift, the mode is
$\sum_{j=1}^{N} e^{i\varphi_j} a_j^\dagger$, where $a_j^\dagger$ creates a photon in the $j$-th
pulse [12]. In the case of COW, the extended mode is

$$\sum_{k=1}^{N} a^\dagger_{k,s_k} \tag{9}$$

where $s_k \in \{0, 1, d\}$ defines the nature of the $k$-th two-pulse sequence, and the
creation operators are $a^\dagger_{k,0} = a^\dagger_{2k-1}$, $a^\dagger_{k,1} = a^\dagger_{2k}$,
$a^\dagger_{k,d} = a^\dagger_{2k-1} + a^\dagger_{2k}$.



The attacks that preserve the extended mode would 
be the only zero-error attacks if Alice and Bob would 
check all the coherence relations. In the case of COW 
however, Alice and Bob check the coherence only on two 
successive pulses: in particular, no coherence is checked 
between all that comes before and all that comes after an 
empty pulse. Therefore, if Eve can be sure that a given 
pulse was empty, she can make an attack that breaks the 
coherence at the location of that pulse. More generally, 
Eve can try and distinguish a sequence of $n$ pulses that
begins and ends with an empty pulse: if she succeeds, she
can then resend photons belonging to this $n$-slot mode
("partial mode"). All these attacks must use unambiguous
state discrimination (USD). In this paper we study
examples of such attacks.

The list of zero-error attacks is now complete. To see
it, we note that any photon received by Bob is either
one of the photons originally sent by Alice (which then 
belongs to the original extended mode), or a new pho- 
ton created by Eve (in which case she must have known 
exactly in which partial mode to send it). In particular, 
the photon-number splitting (PNS) attack [13] is never 
a zero-error attack for the schemes under study [5,14]: 
since any two non-empty pulses are coherent, any at- 
tempt of measuring the number of photons on a finite 
number of pulses breaks some coherence and contributes 
to errors. 


III. UNAMBIGUOUS STATE DISCRIMINATION
ON THREE AND FOUR PULSES 



A. Generalities 



The attacks that we study are based on unambiguous state discrimination (USD). Suppose the set
of possible states is known (cryptography is a natural example [15]): the unambiguous
discrimination of any state in the set is possible if and only if this state is linearly
independent from all the other states in the set [16]. For the present study, we just need to
identify one state $|\psi\rangle$ in the set; therefore, we consider measurements with only two
outcomes: the unambiguous identification and the inconclusive outcome [17]. In this case, the
optimal USD strategy is as follows: in the subspace formed by the states of the set, one selects
$|\phi\rangle$ as the state orthogonal to all but $|\psi\rangle$, and performs the von Neumann
measurement $\{P_c = |\phi\rangle\langle\phi|,\ P_\perp = 1 - P_c\}$. If the state was not
$|\psi\rangle$, the result is certainly $\perp$; so if the result is $c$, the state was
certainly $|\psi\rangle$. Given that the state is $|\psi\rangle$, the conclusive result $c$
happens with probability $p_c = |\langle\psi|\phi\rangle|^2$.
Specifically, Eve wants to discriminate a given finite 
sequence of pulses from all the other possible ones; the 
chosen sequence must be such that the first pulse and the 
last one are empty. When the result is conclusive, she can 
prepare and forward the same sequence to Bob; when the 
result is inconclusive, we suppose that she blocks every- 
thing (finer strategies are possible, but we neglect them 
[18]). By definition, such an attack leaves Q = 0 and
V = 1, because Bob receives something only when Eve 
is sure to forward the same sequence as Alice sent, and 
because no observable coherence has been broken thanks 
to the empty pulses [19]. However, Eve introduces losses, 
because the conclusive result is only probabilistic; and, 
according to the state she actually discriminates and for- 
wards, Bob's statistics are also modified. 

Our goal in what follows is to quantify the amount of
information that Eve obtains and to analyze how Bob's
statistics are affected, for some examples of USD at- 
tacks on the COW protocol. Specifically, we are going 
to present three USD attacks. These three attacks can 
be alternated with one another without introducing er- 
rors. Eve can also avoid errors by stopping the USD 
attacks after a successful discrimination. However, she 
cannot avoid the risk of errors if she resumes the attack 
again. What she can do, is to attack large blocks, then 
to stop also for a large block, then resume and so on: this 
way, the events in which Eve risks introducing an error 
have almost zero statistical weight (in particular, they 
can be overwhelmed by dark counts and other imperfec- 
tions, which are neglected here). 



B. USD3: Attack on Three Pulses

The USD3 attack is defined as follows: Eve takes three pulses that come from Alice and wants to
discriminate unambiguously the sequence $|0\alpha 0\rangle$ from the other possible three-pulse
sequences. When the discrimination is successful, she forwards some photons (not necessarily a
coherent state) in the central time-slot; when the result is not conclusive, she doesn't forward
anything. One can see immediately that this attack doesn't introduce any errors in the data
line, preserves the randomness of the bit value, and doesn't make detector $D_{M2}$ of Bob's
monitoring line click when it shouldn't. The limitation of this attack is that Eve never
forwards anything when Alice had sent two successive non-empty pulses; so, if this attack is
performed systematically, Alice and Bob notice that no decoy sequences have been detected, nor
do they have any data to estimate $V$.

1. Discriminating $|0\alpha 0\rangle$

Eve wants to discriminate the state $|0\alpha 0\rangle$ from the other possible states, which
are the following:

$$|00\alpha\rangle,\ |0\alpha\alpha\rangle,\ |\alpha 00\rangle,\ |\alpha 0\alpha\rangle,\ |\alpha\alpha 0\rangle,\ |\alpha\alpha\alpha\rangle. \tag{10}$$

Note that the sequence $|000\rangle$ is never sent by Alice. Moreover, the sequences
$|00\alpha\rangle$ and $|\alpha 00\rangle$ can be sent only if the bit separation is between the
two empty pulses; given that Eve knows the position of the separation, she therefore has only to
discriminate between $|0\alpha 0\rangle$ and five other states.

For each case, the six possible states are linearly independent. As a consequence, there is a
state in this 6-dimensional subspace which is orthogonal to the five other possible states: this
state is (in both cases)

$$|\psi_{0\alpha 0}\rangle = \frac{1}{1-\chi^2}\left(|0\alpha 0\rangle - \chi|0\alpha\alpha\rangle - \chi|\alpha\alpha 0\rangle + \chi^2|\alpha\alpha\alpha\rangle\right) \tag{11}$$

where $\chi = \langle 0|\alpha\rangle = e^{-|\alpha|^2/2} = e^{-\mu/2}$. Eve performs a
projective measurement which separates $|\psi_{0\alpha 0}\rangle$ from the subspace orthogonal
to it. Conditioned on the fact that the state $|0\alpha 0\rangle$ was sent by Alice, the
probability of a conclusive result is
$|\langle 0\alpha 0|\psi_{0\alpha 0}\rangle|^2 = (1-\chi^2)^2 = (1-e^{-\mu})^2$.

2. Detection rates in COW for USD3

Let us compute the detection rates in Bob's detectors when Eve performs the USD3 attack. Eve
forwards something to Bob with probability

$$p^{0\alpha 0}_{\mathrm{concl}} = \left(\frac{1-f}{2}\right)^2 \left(1-e^{-\mu}\right)^2. \tag{12}$$

We denote by $\Pi(p) = 1 - \langle (1-p)^n \rangle_\xi$ the average detection probability of the
state $|\xi\rangle$ that Eve forwards, as a function of the single-photon detection probability
$p$. In particular, $\Pi(p) = p$ if Eve forwards a single photon, $\Pi(p) \approx 1$ if she
forwards a bright pulse. The detection rates on the detector $D_B$ are

$$D^{(3)}_{B,\mathrm{bit}} = \frac{2}{3}\,p^{0\alpha 0}_{\mathrm{concl}}\,\Pi(t_B\eta), \tag{13}$$
$$D^{(3)}_{B,\mathrm{decoy}} = 0. \tag{14}$$

The factor $\frac{2}{3}$ comes from the fact that we compute the detection rate per bit, i.e.
for two time slots, while the attack was performed on three pulses. The detection rates on the
monitoring line are just random clicks, since two successive pulses are never sent, and so we
find

$$D^{(3)}_{M1,2k} = D^{(3)}_{M2,2k} = D^{(3)}_{M1,2k+1} = D^{(3)}_{M2,2k+1} = \frac{2}{3}\,p^{0\alpha 0}_{\mathrm{concl}}\,\Pi\!\left((1-t_B)\frac{\eta}{4}\right) \tag{15}$$

where the factor $\frac{1}{4}$ in the transmission probability comes from the fact that each
photon has the "choice" between two paths in the interferometer, and the "choice" between two
detectors.



C. USD4a: A First Attack on Four Pulses

The USD4a attack is defined as follows: Eve takes four pulses coming from Alice that correspond
to two bits, and she wants to discriminate the sequence $|0\alpha:\alpha 0\rangle$ from the
other possible sequences. As before, when Eve successfully discriminates this sequence, she
forwards photons in the two middle time slots, making sure they will interfere correctly in
Bob's monitoring line, while when she cannot discriminate this sequence she doesn't forward
anything.

Again, this attack doesn't introduce any bit error, and doesn't make the detector $D_{M2}$ click
when it shouldn't. Contrary to USD3, $V$ can be estimated, but only from 1−0 bit sequences: no
decoy sequences are ever forwarded.

1. Discriminating $|0\alpha:\alpha 0\rangle$

Eve wants to discriminate the sequence $|0\alpha:\alpha 0\rangle$ from the following other
possible states that Alice could send:

$$\begin{array}{l} |0\alpha:0\alpha\rangle,\ |0\alpha:\alpha\alpha\rangle,\ |\alpha 0:0\alpha\rangle,\ |\alpha 0:\alpha 0\rangle, \\ |\alpha 0:\alpha\alpha\rangle,\ |\alpha\alpha:0\alpha\rangle,\ |\alpha\alpha:\alpha 0\rangle,\ |\alpha\alpha:\alpha\alpha\rangle. \end{array} \tag{16}$$

In the subspace defined by the nine possible states, the state which is orthogonal to the eight
states listed in (16) is

$$|\psi_{0\alpha:\alpha 0}\rangle = \frac{1}{1-\chi^2}\left(|0\alpha:\alpha 0\rangle - \chi|0\alpha:\alpha\alpha\rangle - \chi|\alpha\alpha:\alpha 0\rangle + \chi^2|\alpha\alpha:\alpha\alpha\rangle\right). \tag{17}$$

Eve performs a projective measurement which separates $|\psi_{0\alpha:\alpha 0}\rangle$ from the
subspace orthogonal to it. Conditioned on the fact that the state $|0\alpha:\alpha 0\rangle$ was
sent by Alice, the probability of a conclusive result is
$|\langle 0\alpha:\alpha 0|\psi_{0\alpha:\alpha 0}\rangle|^2 = (1-\chi^2)^2$. This is the same
probability as obtained before, in the discrimination of the three-pulse state
$|0\alpha 0\rangle$.

2. Detection rates in COW for USD4a

Let us compute the detection rates in Bob's detectors when Eve performs the USD4a attack. Eve
forwards something to Bob with probability $p^{0\alpha:\alpha 0}_{\mathrm{concl}}$ which, as we
just stressed, is given by (12). The detection rates on the detector $D_B$ are

$$D^{(4a)}_{B,\mathrm{bit}} = \frac{1}{2}\,p^{0\alpha:\alpha 0}_{\mathrm{concl}}\,\Pi(t_B\eta), \tag{18}$$
$$D^{(4a)}_{B,\mathrm{decoy}} = 0. \tag{19}$$

The factor $\frac{1}{2}$ comes from the fact that we compute the detection rate per bit, i.e.
for two time slots, while the attack was performed on 4 pulses. We have also assumed that Bob's
detectors have no dead time [20].

The detection rates on the monitoring lines behave differently, according to the time. The
detections at times $t_{2k}$ are just random, since there are no decoy sequences and
consequently no interference between pulses within a bit sequence:

$$D^{(4a)}_{M1,2k} = D^{(4a)}_{M2,2k} = \frac{1}{2}\,p^{0\alpha:\alpha 0}_{\mathrm{concl}}\,\Pi\!\left((1-t_B)\frac{\eta}{4}\right). \tag{20}$$

On the contrary, when Eve forwards something, there is always a coherence across the bit
separation; therefore the detections at times $t_{2k+1}$ exhibit full interference effects:

$$D^{(4a)}_{M1,2k+1} = \frac{1}{2}\,p^{0\alpha:\alpha 0}_{\mathrm{concl}}\,\Pi\!\left((1-t_B)\frac{\eta}{2}\right), \tag{21}$$
$$D^{(4a)}_{M2,2k+1} = 0. \tag{22}$$



D. USD4b: A Second Attack on Four Pulses

The two attacks USD3 and USD4a share the same feature, namely, that no decoy sequences ever
reach Bob. In order to pass as much unnoticed as possible, Eve could be obliged to alternate
those attacks with another one, in which decoy sequences are sent. We consider the simplest one,
in which Eve wants to discriminate $|0:\alpha\alpha:0\rangle$ from the other possible sequences.
Again, the colon represents the bit separation: contrary to USD4a, now the four pulses are
across three bit sequences.

One realizes immediately that this is a curious attack: if performed systematically, Eve would
forward only decoy sequences, so no raw key would be created! As we said, it is interesting to
consider it only as a part of a more complex attack, in which Eve would alternate it with the
attacks we have already presented.

1. Discriminating $|0:\alpha\alpha:0\rangle$

One might expect that the probability of conclusive result is the same as before. But this is
not the case: there are now more possible sequences, across the 3 bits, that Alice could send.
Specifically, Eve wants to discriminate the sequence $|0:\alpha\alpha:0\rangle$ from the
following eleven states:

$$\begin{array}{l} |0:0\alpha:0\rangle,\ |0:\alpha 0:0\rangle, \\ |0:0\alpha:\alpha\rangle,\ |0:\alpha 0:\alpha\rangle,\ |0:\alpha\alpha:\alpha\rangle, \\ |\alpha:0\alpha:0\rangle,\ |\alpha:\alpha 0:0\rangle,\ |\alpha:\alpha\alpha:0\rangle, \\ |\alpha:0\alpha:\alpha\rangle,\ |\alpha:\alpha 0:\alpha\rangle,\ |\alpha:\alpha\alpha:\alpha\rangle. \end{array} \tag{23}$$

The state orthogonal to these eleven states is

$$|\psi_{0:\alpha\alpha:0}\rangle = \frac{(1+\chi^2)\,\phi(\alpha\alpha) - \chi\left[\phi(0\alpha) + \phi(\alpha 0)\right]}{\sqrt{1-\chi^4}} \tag{24}$$

where we have written

$$\phi(X) = \frac{|0X0\rangle - \chi|0X\alpha\rangle - \chi|\alpha X0\rangle + \chi^2|\alpha X\alpha\rangle}{1-\chi^2}. \tag{25}$$

Conditioned on the fact that the state $|0:\alpha\alpha:0\rangle$ was sent by Alice, the
probability of a conclusive result is
$|\langle 0:\alpha\alpha:0|\psi_{0:\alpha\alpha:0}\rangle|^2 = \frac{(1-\chi^2)^3}{1+\chi^2}$.
Note that this is much smaller than the value $(1-\chi^2)^2$ obtained in the previous examples:
specifically, for $\mu \ll 1$, it goes as $\frac{1}{2}\mu^3$ (three photons) instead of $\mu^2$
(two photons).
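
The three conclusive probabilities quoted above can be checked numerically from the overlaps alone. The following Python sketch is an added example, not code from the paper: it uses the general fact that, for linearly independent states with Gram matrix $G$, the two-outcome measurement described in Sec. III A identifies state $k$ with probability $1/(G^{-1})_{kk}$. Sequences are written as strings over `0` and `a` (for $\alpha$), and all function names are this example's own.

```python
import math
from itertools import product

BIT_SEQS = ("0a", "a0", "aa")  # the three two-pulse sequences Alice can send


def overlap(s, t, chi):
    """<s|t> for two pulse sequences: one factor chi = <0|alpha> per differing pulse."""
    return chi ** sum(a != b for a, b in zip(s, t))


def inverse_diagonal_entry(G, k):
    """(G^-1)[k][k], obtained by solving G y = e_k with Gaussian elimination."""
    n = len(G)
    M = [row[:] + [1.0 if i == k else 0.0] for i, row in enumerate(G)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))  # partial pivoting
        M[c], M[p] = M[p], M[c]
        for r in range(c + 1, n):
            factor = M[r][c] / M[c][c]
            for j in range(c, n + 1):
                M[r][j] -= factor * M[c][j]
    y = [0.0] * n
    for r in range(n - 1, -1, -1):
        y[r] = (M[r][n] - sum(M[r][j] * y[j] for j in range(r + 1, n))) / M[r][r]
    return y[k]


def usd_success(candidates, target, mu):
    """Probability of the conclusive outcome when `target` was sent."""
    chi = math.exp(-mu / 2)
    G = [[overlap(s, t, chi) for t in candidates] for s in candidates]
    return 1.0 / inverse_diagonal_entry(G, candidates.index(target))


def candidate_sets():
    """Candidate lists for USD3 (separation after the first pulse), USD4a, USD4b."""
    three = [p + m for p in "0a" for m in BIT_SEQS]
    four_a = [a + b for a, b in product(BIT_SEQS, repeat=2)]
    four_b = [p + m + q for p in "0a" for m in BIT_SEQS for q in "0a"]
    return three, four_a, four_b


def closed_forms(mu):
    """(1 - chi^2)^2 and (1 - chi^2)^3 / (1 + chi^2), with chi^2 = exp(-mu)."""
    x2 = math.exp(-mu)
    return (1 - x2) ** 2, (1 - x2) ** 3 / (1 + x2)


if __name__ == "__main__":
    three, four_a, four_b = candidate_sets()
    for mu in (0.1, 0.5):
        print(mu,
              usd_success(three, "0a0", mu),
              usd_success(four_a, "0aa0", mu),
              usd_success(four_b, "0aa0", mu),
              closed_forms(mu))
```

The same target string `0aa0` gives a different probability in the last two calls only because the candidate set changes from nine to twelve states, which is the point made in the text.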



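2. Detection rates in COW for USD4b

Eve forwards something to Bob with probability

$$p^{0:\alpha\alpha:0}_{\mathrm{concl}} = f\left(\frac{1-f}{2}\right)^2 \frac{\left(1-e^{-\mu}\right)^3}{1+e^{-\mu}}. \tag{26}$$

The detection rates on the detector $D_B$ are

$$D^{(4b)}_{B,\mathrm{bit}} = 0, \tag{27}$$
$$D^{(4b)}_{B,\mathrm{decoy}} = \frac{1}{2}\,p^{0:\alpha\alpha:0}_{\mathrm{concl}}\,\Pi(t_B\eta), \tag{28}$$

with the same factor $\frac{1}{2}$ as discussed for the USD4a attack. Detections in the
monitoring line behave just the opposite way as they did for the USD4a attack:

$$D^{(4b)}_{M1,2k} = \frac{1}{2}\,p^{0:\alpha\alpha:0}_{\mathrm{concl}}\,\Pi\!\left((1-t_B)\frac{\eta}{2}\right), \tag{29}$$
$$D^{(4b)}_{M2,2k} = 0; \tag{30}$$
$$D^{(4b)}_{M1,2k+1} = D^{(4b)}_{M2,2k+1} = \frac{1}{2}\,p^{0:\alpha\alpha:0}_{\mathrm{concl}}\,\Pi\!\left((1-t_B)\frac{\eta}{4}\right). \tag{31}$$

In summary, there is an obvious symmetry between the USD4a and USD4b attacks. However, the fact
that $p^{0:\alpha\alpha:0}_{\mathrm{concl}} < p^{0\alpha:\alpha 0}_{\mathrm{concl}}$ introduces
an important difference. In fact, the need for sending some decoy sequences is very costly for
Eve: she has to perform sometimes a very inefficient attack, which moreover gives her no
information on the key (she knows that the decoy sequence was preceded by a bit 1 and followed
by a bit 0, but she does not send anything to Bob apart from the decoy sequence itself, so these
two bits cannot be detected).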



IV. COMBINING THE THREE USD ATTACKS 



In the previous Section, we have described an attack where Eve forwards "bits" (USD3), an attack
where she forwards "coherence across the bit separation" (USD4a), and an attack which forwards
"decoy sequences" (USD4b). These are zero-error attacks as far as the state parameters are
concerned ($Q = 0$, $V = 1$), but each one taken separately introduces deviations from the
expected detection rates. Here we show that, provided $f \lesssim 0.236$, Eve can alternate
among the three attacks in order to simulate all the expected detection rates.



A. Definition of the attack 



The attack that we consider (with no claim of optimality) is constructed as follows. Eve
performs USD3 with probability $q_1$, USD4a with probability $q_2$, and USD4b with probability
$q_3$. With probability $q_0$, she just forwards the pulses through a lossless channel
($t = 1$). Recall that Eve can alternate as she likes among the USD attacks, but she must not
stop and resume them too often (see end of paragraph III A).

We suppose that this is all she does, so that

$$q_0 + q_1 + q_2 + q_3 = 1. \tag{32}$$



We want all detection rates to be the expected ones: the six rates $D = D_{B,\mathrm{bit}}$,
$D_{B,\mathrm{decoy}}$, $D_{M1,2k}$, $D_{M2,2k}$, $D_{M1,2k+1}$ or $D_{M2,2k+1}$ must be such
that



(33) 



We make two further assumptions, namely (i) that Eve forwards always a single photon when she
has got a conclusive result [21], in particular then $\Pi(p) = p$; and (ii) that we can work in
the limit $\mu\eta \ll 1$, so that we can linearize all the detection rates $D$. In this case,
an analytical solution can be found (Appendix C), that reads

$$q_0 = \frac{\mu t F - 1}{\mu F - 1}, \tag{34}$$
$$q_j = \frac{\mu (1-t) F_j}{\mu F - 1} \quad (j = 1, 2, 3) \tag{35}$$

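where

$$F_1 = \frac{3(1 - 4f - f^2)}{4\,p^{0\alpha 0}_{\mathrm{concl}}} = \frac{3(1 - 4f - f^2)}{(1-f)^2 \left(1-e^{-\mu}\right)^2}, \tag{36}$$
$$F_2 = \frac{(1+f)^2}{p^{0\alpha:\alpha 0}_{\mathrm{concl}}} = \left(\frac{1+f}{1-f}\right)^2 \frac{4}{\left(1-e^{-\mu}\right)^2}, \tag{37}$$
$$F_3 = \frac{4f}{p^{0:\alpha\alpha:0}_{\mathrm{concl}}} = \frac{16\left(1+e^{-\mu}\right)}{(1-f)^2 \left(1-e^{-\mu}\right)^3}, \tag{38}$$
$$F = F_1 + F_2 + F_3 = \frac{1}{(1-f)^2}\,\frac{32 - \mathcal{J}\left(1-e^{-\mu}\right)}{\left(1-e^{-\mu}\right)^3}, \tag{39}$$

with $\mathcal{J} = 9 + 4f - f^2$. Note that, while $F_2$ and $F_3$ are always strictly
positive, for $F_1$ to be non-negative one must have $f < \sqrt{5} - 2 \approx 0.236$: this
means that Eve cannot reproduce the detection rates with this attack if a large fraction of
decoy sequences is used.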



B. Upper Bound on the Secret Key Rate

We can now compute the secret key rate that can be extracted by Alice and Bob in the presence of
the attack just described. We consider the case of one-way classical post-processing, and use
the Csiszar-Korner formula [22]

$$R = D_{B,\mathrm{bit}} \left[ I(A:B) - \min\left\{ I(A:E),\, I(B:E) \right\} \right] \tag{40}$$

where H is Shannon entropy, $I(X:Y)$ is mutual information, and by definition of our attacks we
have

B,bU

B,bU

(41)

The use of the Csiszar-Korner formula can be justified by an argument analogous to the one used
in Ref. [23]: the USD attack immediately gives a decomposition of the data into those on which
Eve has full information (i.e. those on which the USD attack has been applied and has given a
conclusive result) and those on which Eve has no information at all (i.e. those that have been
sent over the ideal channel). In this case, the Csiszar-Korner formula gives a tight bound if
Alice and Bob were sure that Eve is performing exactly that attack; since this is not proved
(there might be better attacks compatible with the observed statistics), the value of $R$ that
we compute is an upper bound on the secret key rate that can be extracted with one-way
post-processing.

Now, on the one hand, since there are no errors in the state, whenever Bob detects something in
$D_B$ (other than a decoy sequence) he learns correctly Alice's bit:

$$I(A:B) = 1. \tag{42}$$

This implies $I(A:E) = I(B:E)$. On the other hand, Eve has full information on the bits that she
attacked and forwarded and were detected in $D_B$, and she has no information in all the other
cases:

I(A:E)

(43)

This gives the expected results, namely that Alice and Bob have secrecy if and only if the bit
was not attacked by Eve:

$$R = \frac{\mu t F(\mu) - 1}{\mu F(\mu) - 1}\;\mu\, t_B\, \eta\, (1-f). \tag{44}$$



As usual, Alice and Bob choose the value of $\mu$ that maximizes $R$. Another meaningful
parameter is $\mu_{max}$, the critical value such that $R = 0$ (that is, $q_0 = 0$: Eve can
perform her attack on all the bits). The calculation of $\mu_{opt}$, $R(\mu_{opt})$ and
$\mu_{max}$ has been done numerically; the results are shown in Fig. 2. These parameters can
also be estimated analytically in the limit $\mu \ll 1$, using



F{^,) . 

yields 



32 



Cl- 



aud therefore m t 



{i-fY „2. 



32 



M ; it 



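$$\mu_{opt} \approx \frac{4\sqrt{6}}{3(1-f)}\,\sqrt{t}, \tag{45}$$
$$R(\mu_{opt}) \approx \frac{8\sqrt{6}}{9}\; t_B\, \eta\, t^{3/2}, \tag{46}$$
$$\mu_{max} \approx \sqrt{3}\,\mu_{opt}. \tag{47}$$

For long distances, these analytical estimations are in close
agreement with the numerical optimization.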
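
The mixing argument of this Section can be verified numerically. The following Python sketch is an added example, not code from the paper: it takes the linearised detection rates ($\Pi(p) = p$, $\mu\eta \ll 1$) of USD3, USD4a and USD4b together with the weights of Eqs. (34)-(35), confirms that the mixture reproduces all six expected rates, and evaluates the bound of Eq. (44). Function names are this example's own; the sample parameters are those quoted for Fig. 2, except $t_B = 0.9$, which is assumed here so that the monitoring line receives photons.

```python
import math

# Rate order used throughout: B_bit, B_decoy, M1_2k, M2_2k, M1_2k+1, M2_2k+1


def expected_rates(mu, t, f, tB, eta):
    """Honest-channel rates of Eqs. (2)-(8), to first order in mu*eta."""
    a, u = mu * t * eta, 1.0 - tB
    return [(1 - f) * a * tB,
            2 * f * a * tB,
            ((1 - f) / 4 + f) * a * u,
            (1 - f) / 4 * a * u,
            ((1 - f * f) / 8 + (1 + f) ** 2 / 4) * a * u,
            (1 - f * f) / 8 * a * u]


def attack_rates(mu, f, tB, eta):
    """Rates when USD3, USD4a or USD4b alone is applied to every block and
    Eve forwards a single photon, Pi(p) = p."""
    e, u = math.exp(-mu), 1.0 - tB
    p_a = ((1 - f) / 2) ** 2 * (1 - e) ** 2                 # Eq. (12), also USD4a
    p_b = f * ((1 - f) / 2) ** 2 * (1 - e) ** 3 / (1 + e)   # Eq. (26)
    usd3 = [p_a * eta * c for c in (2 * tB / 3, 0, u / 6, u / 6, u / 6, u / 6)]
    usd4a = [p_a * eta * c for c in (tB / 2, 0, u / 8, u / 8, u / 4, 0)]
    usd4b = [p_b * eta * c for c in (0, tB / 2, u / 4, 0, u / 8, u / 8)]
    return usd3, usd4a, usd4b


def f_terms(mu, f):
    """F_1, F_2, F_3 of Eqs. (36)-(38)."""
    e = math.exp(-mu)
    d = (1 - f) ** 2 * (1 - e) ** 2
    return 3 * (1 - 4 * f - f * f) / d, 4 * (1 + f) ** 2 / d, 16 * (1 + e) / (d * (1 - e))


def mixture(mu, t, f):
    """Weights (q0, q1, q2, q3) of Eqs. (34)-(35); an entry is negative when
    the mixture cannot be realised."""
    fs = f_terms(mu, f)
    big_f = sum(fs)
    denom = mu * big_f - 1
    return [(mu * t * big_f - 1) / denom] + [mu * (1 - t) * fj / denom for fj in fs]


def simulated_rates(mu, t, f, tB, eta):
    """Rates Bob sees under the mixture: lossless line with weight q0, attacks with q1..q3."""
    q = mixture(mu, t, f)
    parts = [expected_rates(mu, 1.0, f, tB, eta), *attack_rates(mu, f, tB, eta)]
    return [sum(qj * part[i] for qj, part in zip(q, parts)) for i in range(6)]


def mixture_exists(f):
    """F_1 >= 0, i.e. f <= sqrt(5) - 2; a larger decoy fraction rules the mixture out."""
    return 1 - 4 * f - f * f >= 0


def key_rate_bound(mu, t, f, tB, eta):
    """Eq. (44): only the fraction q0 sent over the lossless line stays secret."""
    q0 = mixture(mu, t, f)[0]
    return max(q0, 0.0) * mu * tB * eta * (1 - f)


def optimal_mu(t, f, tB, eta, steps=10000):
    """Grid search over (0, 1] for the mu that maximises the bound."""
    return max((k / steps for k in range(1, steps + 1)),
               key=lambda mu: key_rate_bound(mu, t, f, tB, eta))


def transmission(length_km, alpha_att=0.25):
    """t = 10^(-alpha_att * length / 10)."""
    return 10 ** (-alpha_att * length_km / 10)


if __name__ == "__main__":
    eta, f, tB = 0.1, 0.1, 0.9
    t = transmission(150)
    mu = optimal_mu(t, f, tB, eta)
    print("mu_opt (grid)      :", mu)
    print("mu_opt (Eq. 45)    :", 4 * math.sqrt(6) / (3 * (1 - f)) * math.sqrt(t))
    print("bound on R         :", key_rate_bound(mu, t, f, tB, eta))
    print("simulated rates    :", simulated_rates(mu, t, f, tB, eta))
    print("expected rates     :", expected_rates(mu, t, f, tB, eta))
    print("mixture for f=0.25 :", mixture_exists(0.25))
```

Each attack on its own leaves a zero in at least one of the six rates, which is the deviation the rate check picks up; only the weighted mixture, and only for $f$ below the threshold, cancels all of them.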



In Fig. 2, our attack is compared to the Holevo bound on the beam-splitting (BS) attack computed
in Appendix B. As we can see in the lower graph, the BS attack is more powerful than ours for
$\ell \lesssim 100$ km; by referring to the upper graph, we note a discontinuity in
$\mu_{opt}$. This is due to the fact that we have not considered a mixture between our attack
and the BS attack; if we had considered it, the transition between the two would have been
smooth.



[Figure: two graphs, each with horizontal axis "Distance (km)".]

FIG. 2. USD attack that reproduces the detection rates:
optimal mean photon number $\mu_{opt}$ (upper graph) and
corresponding secret key rate $R$ (lower graph) as a function of the
Alice-Bob distance $\ell$. The attack is compared to the Holevo
bound on the beam-splitting attack. Parameters: $\eta = 0.1$,
$\alpha_{att} = 0.25$ dB/km, $f = 0.1$, $t_B = 1$.

C. Comments on the result 

We have described a specific attack, which introduces 
no errors in the state parameters, and which reproduces 
all the expected detection rates as well. Let's comment 
on the results. 

Many limitations of the attack, as we have studied it,
can be found. First, this attack is not a real concern as
of today: in fact, it outperforms the BS attack only for
$\ell \gtrsim 100$ km (Fig. 2), which is anyway the typical limiting
distance when dark counts are taken into account [5].
Second, the attack is not entirely undetectable with the
actual setup: even though all the detection rates are
reproduced, one could check other statistical parameters,
which would behave in an unexpected way. For instance,
since decoy sequences are always forwarded in the form
$|0:\alpha\alpha:0\rangle$, Alice and Bob can realize that the two pulses
before a decoy sequence that they detect always encode
a logical bit 1, and the two pulses after the decoy
sequence always encode a logical bit 0. Finally, as seen in
Sec. IV A, Alice and Bob could simply choose $f > 0.236$,
and the attack that we studied becomes impossible.
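The neighbour check mentioned in this paragraph can be written as a one-sided z-test on how often a detected decoy is preceded by a bit 1 and followed by a bit 0. The following is an added example, not part of the paper: the function names, the independence baseline $((1-f)/2)^2$, the alarm threshold and the constructed channel models (parameters `q0`, `p_det`) are assumptions, and the data are constructed rather than a simulation of the optical attack.

```python
import math
import random


def alice_choices(n, f, rng):
    """Constructed sample: 'D' (decoy) with probability f, else bit '0' or '1'."""
    seq = []
    for _ in range(n):
        u = rng.random()
        seq.append("D" if u < f else ("0" if u < f + (1 - f) / 2 else "1"))
    return seq


def detect_lossy(seq, p_det, rng):
    """Lossy channel only: a decoy is detected with probability p_det,
    independently of the sequences sent before and after it."""
    return [k for k in range(1, len(seq) - 1)
            if seq[k] == "D" and rng.random() < p_det]


def detect_constructed_attack(seq, f, q0, p_det, rng):
    """Constructed model of the statement in the text: with probability q0 a
    decoy takes the lossy path above; otherwise it reaches Bob only when it
    sits between a bit 1 and a bit 0. p_concl is tuned so that the overall
    decoy detection rate stays equal to p_det."""
    p_concl = p_det / ((1 - f) / 2) ** 2
    hits = []
    for k in range(1, len(seq) - 1):
        if seq[k] != "D":
            continue
        if rng.random() < q0:
            if rng.random() < p_det:
                hits.append(k)
        elif seq[k - 1] == "1" and seq[k + 1] == "0" and rng.random() < p_concl:
            hits.append(k)
    return hits


def neighbour_test(seq, detected, f, z_alarm=5.0):
    """One-sided z-test on the count of detected decoys with pattern 1, D, 0.
    Under independent losses each neighbour follows Alice's prior, so the
    pattern has probability ((1 - f) / 2) ** 2."""
    n = len(detected)
    k = sum(1 for i in detected if seq[i - 1] == "1" and seq[i + 1] == "0")
    p0 = ((1 - f) / 2) ** 2
    z = (k - n * p0) / math.sqrt(n * p0 * (1 - p0)) if n else 0.0
    return {"detected": n, "pattern": k, "expected": n * p0,
            "z": z, "alarm": z > z_alarm}


def run_demo(seed=2024, n=200_000, f=0.1, p_det=0.01, q0=0.2):
    """Same Alice sequence, two channels with the same decoy detection rate."""
    rng = random.Random(seed)
    seq = alice_choices(n, f, rng)
    honest = neighbour_test(seq, detect_lossy(seq, p_det, rng), f)
    attacked = neighbour_test(
        seq, detect_constructed_attack(seq, f, q0, p_det, rng), f)
    return honest, attacked


if __name__ == "__main__":
    for name, res in zip(("lossy channel", "constructed attack"), run_demo()):
        print(name, res)
```

Both channels give Bob about the same number of detected decoys, so a rate check alone cannot separate them; only the neighbour statistic raises the alarm.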

A further interesting point is that the power of the
attack can be further reduced by a hardware modification,
which keeps the simplicity of the experimental realization:
it simply amounts to adding empty decoy sequences.
The idea is that, by adding a new kind of signal, the
conclusive probability of USD becomes smaller, because Eve
has to distinguish the desired state among a larger set.
The analysis is done in Appendix E; the intuition is
confirmed: by adding empty decoy sequences, we obtain a
decrease $R(\mu_{opt}) \propto t^{4/3}$ [Eq. (E14)] at long distances,
which is slower than $R(\mu_{opt}) \propto t^{3/2}$ given in Eq. (46).
Note that other hardware modifications would help as
well, in particular adding interferometers that monitor
coherence across more than one pulse; but these would
make the experiment more complicated [24].

All these arguments can be made as an objection to the 
importance of our attack. However, that precise attack is 
only an example: there is no claim of optimality. There 
is some room for improvement even on USD strategies 
with three and four pulses [18], and we have not studied 
USD attacks on more than four pulses. Another concern 
is that we don't have any estimate of the robustness of 
our result when the precision of the statistical estimates 
of Alice and Bob decreases. Here, we have worked with- 
out dark counts and in the limit of an infinite sequence: 
the presence of dark counts and the finite-size effects, 
obviously present in any real experiment, may blur the 
statistics. Eve's attack may become much more serious 
if she is asked to guarantee only an approximation of 
the expected detection rates, or to reconstruct only a 
smaller set of statistical quantities. A simple example of 
what can happen if Alice and Bob do not make a careful 
enough statistical estimate is given in Appendix D. 



V. CONCLUSION 

In conclusion, we have studied the security of the COW
protocol in the regime of zero error in the state parameters
($Q = 0$, $V = 1$). In this regime, Eve can take advantage
only of the losses; while the beam-splitting attack is
always possible, because it preserves the collective mode
in which all photons have been encoded, we addressed
the existence of more powerful attacks.

We have indeed found examples of other zero-error attacks,
which however introduce some modifications in the
statistics observed by Bob. We have presented an attack
that preserves all the detection rates and can be
detected only by looking at correlations between two or
more bits. This attack becomes relevant only for large
distances ($\ell > 100$ km for typical values).

These results show that, both in the experiment and in
the theoretical search of lower bounds for security, higher
secret key rates can be achieved if the COW protocol
includes several tests of Bob's statistics. We conjecture
that the beam-splitting attack is the only possible one in
the zero-error limit provided Alice and Bob analyze all
statistics of their data.

APPENDIX A: THREE-STATE PROTOCOL

Here we describe a three-state protocol, that was inspired
by the study of the COW protocol. If the coherence
across the bit separations in COW would be broken,
the protocol could be seen as an implementation with
weak coherent pulses of a standard three-state protocol
for qubits. The qubit states thus obtained are

$$|+z\rangle = |0\rangle, \qquad |-z\rangle = |1\rangle, \qquad |+x\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle). \tag{A1}$$

Each state of the Z basis is sent with probability
$(1-f)/2$; it codes a bit value, and the errors in these
measurements give the quantum bit error rate (QBER) $Q$.
The third state, belonging to the X basis, is sent with
probability $f$; it allows to estimate a visibility $V$.

In this appendix we give a quick overview of security 
studies for this protocol, relying mainly on Ref. [9], to
which we refer for the justification of the methods. An in- 
dependent study of this three-state protocol has been re- 
alized recently by Fung and Lo with different techniques 
[25]. 



1. Single photon case 

a. Quick review of the approach 

In Ref. [9], a lower bound on the secret-key rate for a
general class of quantum key distribution protocols using
one-way classical post-processing has been derived.
Remarkably, the bound can be computed considering only
two-qubit density operators $\sigma_{AB}$ [26]:

$$r \geq \inf\, S(A|E) - H(A|B)$$
$$\;\; = \inf\, 1 - S(\sigma_{AB}) \tag{A2}$$

where $S$ is the von Neumann entropy, $H$ is the Shannon
entropy, and the second line is obtained when Eve
holds a purification of $\sigma_{AB}$, which is a usual assumption
in quantum cryptography. The set $\Gamma_{Q,V}$ is the set of
two-qubit Bell-diagonal density operators which are compatible
with the measured QBER $Q$ and visibility $V$. Our
goal is to characterize this set, and then to perform the
minimization in Eq. (A2). This is done by using the
entanglement-based description of the three-state protocol,
and considering the most general attack that Eve can
perform on a qubit that goes from Alice to Bob.

b. Qubit pairs shared by Alice and Bob 

Let us first consider the equivalent entanglement-based
version of the three-state protocol: Alice prepares the
state

$$|\Psi_{AB}\rangle = \sqrt{1-f}\,|\Phi^+\rangle_{AB} + \sqrt{f}\,|D\rangle_A |+x\rangle_B \tag{A3}$$

where we used the standard notation
$|\Phi^+\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$, and where $|D\rangle_A$ is a state
orthogonal to $|0\rangle_A$ and $|1\rangle_A$ (Alice's system is therefore
3-dimensional); she keeps the first system and sends the
second one to Bob.

On her system, Alice performs a projective measurement
in order to prepare Bob's state. When Alice gets
the result $|0\rangle_A$ (which she does with probability $\frac{1-f}{2}$),
she prepares the state $|0\rangle_B$ for Bob; when she gets $|1\rangle_A$
(with probability $\frac{1-f}{2}$), she prepares the state $|1\rangle_B$ for
Bob; finally, when she gets $|D\rangle_A$ (with probability $f$),
she prepares a decoy sequence $|+x\rangle_B$ for Bob.

The system B that goes from Alice to Bob through
the quantum channel can be attacked by Eve. Let us
describe her action by a super operator $\mathcal{E} = \{E_j\}$. The
state shared by Alice and Bob after the transmission of
system B is then

$$\rho_{AB} = \mathcal{E}(|\Psi_{AB}\rangle\langle\Psi_{AB}|)
= \sum_j \mathbb{1}_A \otimes E_j\, |\Psi_{AB}\rangle\langle\Psi_{AB}|\, \mathbb{1}_A \otimes E_j^\dagger. \tag{A4}$$

After the public communication, Alice and Bob know
which systems led to bits of the key (when Alice obtained
either $|0\rangle_A$ or $|1\rangle_A$ and Bob measured in the Z
basis), and which systems came from decoy sequences
(when Alice obtained $|D\rangle_A$ and Bob measured in the X
basis). They have two sets of systems in the states:

PAB = m{0\ + \l){l\)A PAB (|0)(0| + |1)(1|)^ 

= (1 - /) E 1^ ® E^\^ab){'^ab\^a ® e} (A5) 
j 

pf^"y=\D){DUpAB \D){DU 

= f^lA<»Ej \D,+x)^j,{D,+x\ lA<»Et. (A6) 

i 

We shall write p = pf^j*, = j^p% and = 
7 p'ab'^ ^^"^ corresponding normalized states. Note that 
V2\D){+x\^ (g) 1b I'^ab) = \E>)a\ +^)b and therefore 
= 2\D){+x\ ® 1 I + x){D\ ® 1. 






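c. Characterizing the set $\Gamma_{Q,V}$

The set $\Gamma_{Q,V}$ contains any state of the form

$$\sigma_{AB} = \lambda_1 P_{\Phi^+} + \lambda_2 P_{\Phi^-} + \lambda_3 P_{\Psi^+} + \lambda_4 P_{\Psi^-} \tag{A7}$$

where we use the notation $P_\psi = |\psi\rangle\langle\psi|$ for any state $|\psi\rangle$,
where the $|\Phi^\pm\rangle$, $|\Psi^\pm\rangle$ are the Bell states, and where

$$\lambda_1 = \langle\Phi^+|\rho|\Phi^+\rangle, \quad \lambda_2 = \langle\Phi^-|\rho|\Phi^-\rangle, \quad
\lambda_3 = \langle\Psi^+|\rho|\Psi^+\rangle, \quad \lambda_4 = \langle\Psi^-|\rho|\Psi^-\rangle. \tag{A8}$$

The first constraint is the definition of the QBER, the
same for all protocols, namely

$$Q = \lambda_3 + \lambda_4. \tag{A9}$$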

The constraint that defines V is typical of this protocol. 
To derive it, we use the fact that the probability for decoy 
sequences to be detected correctly by Bob is • 



1±V 



{D\ ® (±x| \D)®\± 

= 2 {+X, ±x|/9| + X, ±x) . 

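Since $|+x,+x\rangle = \frac{1}{\sqrt{2}}(|\Phi^+\rangle + |\Psi^+\rangle)$, then

$$\frac{1+V}{2} = (\langle\Phi^+| + \langle\Psi^+|)\,\rho\,(|\Phi^+\rangle + |\Psi^+\rangle)$$
$$\;\; = \lambda_1 + \lambda_3 + (\langle\Phi^+|\rho|\Psi^+\rangle + \mathrm{c.c.}).$$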



(AlO) 



(All) 



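The Cauchy-Schwarz inequality implies
$|\langle\Phi^+|\rho|\Psi^+\rangle| \leq \sqrt{\lambda_1\lambda_3}$, and therefore
$|\langle\Phi^+|\rho|\Psi^+\rangle + \langle\Psi^+|\rho|\Phi^+\rangle| \leq 2\sqrt{\lambda_1\lambda_3}$.
We finally obtain the following constraint:

$$(\sqrt{\lambda_1} - \sqrt{\lambda_3})^2 \leq \frac{1+V}{2} \leq (\sqrt{\lambda_1} + \sqrt{\lambda_3})^2. \tag{A12}$$

Similarly, starting from $\frac{1-V}{2}$ one obtains

$$(\sqrt{\lambda_2} - \sqrt{\lambda_4})^2 \leq \frac{1-V}{2} \leq (\sqrt{\lambda_2} + \sqrt{\lambda_4})^2. \tag{A13}$$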



For a state $\sigma_{AB}$ to be in the set $\Gamma_{Q,V}$, its coefficients
$\lambda_i$ therefore have to satisfy the constraints (A9),
(A12) and (A13), along with the normalization condition
$\lambda_1 + \lambda_2 + \lambda_3 + \lambda_4 = 1$.



d. Lower bound on the secret key rate 

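Now we have to compute the bound (A2). One
can show that, given our constraints, the infimum of
$1 - S(\sigma_{AB})$ is obtained when

$$\sqrt{\lambda_1} + \sqrt{\lambda_3} = \sqrt{\frac{1+V}{2}} \tag{A14}$$
$$\sqrt{\lambda_2} - \sqrt{\lambda_4} = \sqrt{\frac{1-V}{2}} \tag{A15}$$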



These equalities, together with Eq. (A9) and the
normalization condition, allow an analytical expression of
the lower bound:

$$r(Q,V) \geq 1 - H([\lambda_1, \lambda_2, \lambda_3, \lambda_4]) \tag{A16}$$

with 

Ai 
A2 
A3 
A4 



^QV + ^{1~V^)Q{1^Q) 



Q 
Q 



l^ + QV+ ^{\-V^)Q{l-Q) 



^~QV^^{l~V^)Q{l-Q) 



The results are plotted in Fig. 3. For all values of the
parameters, the rates we find are equal or better than those
found by Fung and Lo [25]: in particular, for $V = 1$ we
find security up to $Q \approx 11\%$, while they reach only up to
$Q < 7.57\%$ (see Fig. 2 of Ref. [25], where a = and
et = Q).



FIG. 3. Security study of the three-state protocol in a
single-photon implementation. Upper graph: lower bound $r$ as
a function of $Q$ and $V$; lower graph: projection of the upper
graph on the $(Q, V)$ plane, showing the region of parameters
in which the protocol is provably secure.

e. Special cases Q = 0, V = 1

Let's study the particular cases $Q = 0$ and $V = 1$.
With the previous analysis, we find



A = 



fie 



-tJ.tr] 



2tr] 



(A20) 



$$R(Q = 0, V) \geq 1 - h\!\left(\frac{1-V}{2}\right) \tag{A17}$$
$$R(Q, V = 1) \geq 1 - 2h(Q) \tag{A18}$$

where $h$ is binary entropy. In particular, the second rate
is the same as the one obtained for the BB84 protocol
[7].

In these limiting cases, we have been able to compute
a lower bound in a different way, namely using
the Devetak-Winter bound for collective attacks [27] and
then invoking a de Finetti theorem to extend the result
to all possible attacks [8]. For the case $Q = 0$, we find
exactly the same result; for the case $V = 1$ however, the
lower bound calculated in this new way is slightly better.
This is not a contradiction, as the method of Ref. [9] is
not claimed to provide tight bounds in all circumstances.



2. Weak Coherent Pulses 

a. Conservative lower bound 

In our three-state protocol, exactly as it happens for 

BB84, as soon as a pulse contains two photons, Eve can 
obtain full information using the PNS attack. There- 
fore, all the pulses containing more than one photon are 
"tagged" : it is as if they would carry a label which reveals 
the quantum state. Once one has a lower bound r in a 
single-photon implementation, a lower bound for imple- 
mentations with weak coherent pulses can be computed 
using the techniques developed in Ref. [11]. 

Let A be the fraction of tagged signals: on these,
Eve has full information thanks to the tag. Eve's best
strategy consists in introducing no error on the tagged 
pulses, and a larger error Qi = the untagged 

ones, so that the total QBER is still Q. A similar rea- 
soning holds for V: in Eve's best strategy, the tagged 
pulses have V = 1, therefore the single photon pulses 
have Vi = \Z'^ ■ These estimates have a bearing on pri- 
vacy amplification, while error correction must be done 
for the average Q. The achievable secret key rate is fi- 
nally bounded as 



r > 



[(1 - A) S (Qi,Vi) - h{Q)] 



(A19) 



where S{Q, V) = r{Q, V) - h{Q) and r{Q, V) is the 
single-photon lower bound of Eq. (A16). Finally, it is 
easy to compute the optimum value of A. In general, A 
is the probability that Alice sends more than one pho- 
ton, conditioned to the fact that Bob has received some- 
thing. Clearly, the best case for Eve is that Bob always 
receives something when Alice has sent two or more pho- 
tons. Therefore 



Knowing this, one can now multiply $r$ by Bob's detection
rate to obtain the secret key rate in bits per pair of
pulses, then optimize $\mu$ to maximize this quantity. Note
that the lower bound (A19) is very conservative because
it holds only for the untrusted-device scenario (this is
why the denominator in (A20) contains $\eta$ as well); it is
not known how to prove a rigorous lower bound in the
trusted-device scenario. (See also [28]).



b. PNS attack in the zero-error case



In the main text, we have presented zero-error attacks 
against the COW protocol in the trusted-device scenario. 
For comparison, we compute the PNS attack against 
the three-state protocol implemented with weak coher- 
ent pulses: we recall that in this protocol, contrary to 
COW, there is no coherence across the bit separation. 

If $Q = 0$ and $V = 1$, we have $I(A:B) = 1$. Eve counts
the number of photons in each two-pulse sequence cor- 
responding to a bit: if she finds n = 1, she can either 
let the photon go or block it, but in any case she can't 
learn anything; if she finds n > 1, she keeps some pho- 
tons and sends the others to Bob, and she has full in- 
formation. For the purpose of this simple analysis, we 
write everything in the case $\mu \ll 1$ (the generalization is
straightforward but complicates the formulae). We have 
then I [A : E) = the difference with (A20) coming 
from the fact that we can compute this upper bound in 
the trusted-device scenario. The rate per bit becomes 

R=(l-^^ fittBil{l- f). (A21) 
This expression is optimal for n^pf = t, therefore 



R{f^opt)^^tBv{l-f)- (A22) 



This scales as $t^2$, as it happens for BB84 under the same
conditions [29]. This rate is much smaller than the upper
bounds obtained in the main text for the COW protocol
for the most powerful attacks described in this paper
(Fig. 2). A better attack may exist against COW; however,
we conjecture that this difference is intrinsic: in
physical terms, we conjecture that the existence of
coherence across the bit separation is a real advantage and
increases the extractable secret key rates by a significant
amount.

APPENDIX B: BEAM-SPLITTING ATTACK
AND DEVETAK-WINTER BOUND

The beam-splitting attack is the only known attack
which will simulate exactly all statistics for Alice and
Bob given a lossy channel, since it is a physical model for
such a lossy channel. The fraction $1-t$ of lost photons is
given to Eve, who has forwarded the remaining fraction $t$
to Bob through a lossless channel. The information that
Eve can extract from her data depends on the way she
processes them. For each bit she wants to estimate, Eve
faces the problem of distinguishing the two states $|0\alpha'\rangle$
and $|\alpha'0\rangle$, where $\alpha' = \sqrt{1-t}\,\alpha$.

In Refs [4,5], it was supposed that Eve performed the
same measurement as Bob: she measures the time of
arrival for each pulse, which corresponds to the best
unambiguous state discrimination between the two states $|0\alpha'\rangle$
and $|\alpha'0\rangle$. With probability $1 - \langle 0\alpha'|\alpha'0\rangle$, the result is
conclusive and she gets full information on the bit. Her
average information on each bit is then

$$I_{USD} = 1 - \langle 0\alpha'|\alpha'0\rangle. \tag{B1}$$



However, there are other measurements that could give 
Eve more information. For instance, the minimum-error 
measurement [30] would give her the information 



(Oa'ja'O)' 



(B2) 



which is larger than $I_{USD}$ ($h$ is the binary entropy
function).

The USD and ME measurements are bitwise measurements,
and define the so-called individual (or incoherent)
attacks. More generally, Eve can be allowed to make a
collective attack from beam-splitting: each signal is split
with the same fraction, as above, but then Eve is
allowed to wait until the end of classical post-processing
(error correction, privacy amplification) before performing
a (possibly coherent) measurement on the quantum
systems she has kept. What Eve does may be hard to
find (actually, to our knowledge, this is not known for
any protocol); but a computable bound for the secret
key rate that can be extracted in the presence of collective
attacks has nevertheless been found by Devetak and
Winter [27]. The upper bound on the accessible information
that Eve can learn, whatever the measurement
she performs, is given by the Holevo bound [31]. For the
problem of distinguishing the two states $|0\alpha'\rangle$ and $|\alpha'0\rangle$,
the Holevo bound is [32]

$$\chi_{Hol} = h\!\left(\frac{1 - \langle 0\alpha'|\alpha'0\rangle}{2}\right). \tag{B3}$$

The Devetak-Winter bound for the secret key rate reads
then

$$R \geq (1-f)\,(1 - e^{-\mu t t_B \eta})\,[1 - \chi_{Hol}] \tag{B4}$$
$$\;\; \simeq (1-f)\,\mu t t_B \eta \left[1 - h\!\left(\frac{1 - e^{-\mu(1-t)}}{2}\right)\right], \tag{B5}$$

the second expression being for the case $\mu t t_B \eta \ll 1$.

As usual, Alice and Bob should choose $\mu$ in order to
optimize $R$. Let's define $g(x) = x\left[1 - h\!\left(\frac{1-e^{-x}}{2}\right)\right]$.
Numerically, we find $\sup_x g(x) = g(\xi) \approx 0.1428$, obtained
for $\xi \approx 0.4583$. Therefore, the optimal value of $\mu$ in the
case of a collective beam-splitting attack is



t 



(B6) 



and the corresponding lower bound on the extractable 
secret key rate is 



t 



(B7) 



This is what we plotted in Figs 2 and 4 in comparison to 
our attacks. 
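The optimization described in this appendix can be reproduced numerically. The following added example (not the authors' code) maximizes $g(x) = x[1 - h((1-e^{-x})/2)]$ and the small-$\mu t t_B \eta$ beam-splitting rate $(1-f)\,\mu t t_B \eta\,[1 - h((1-e^{-\mu(1-t)})/2)]$, with the parameter values quoted in the caption of Fig. 2. The function names, the golden-section search and the loss model $t = 10^{-\alpha\ell/10}$ are assumptions of this example.

```python
import math


def h(p):
    """Binary entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def holevo_two_states(overlap):
    """Holevo quantity of two equiprobable pure states with the given overlap."""
    return h((1.0 - overlap) / 2.0)


def g(x):
    """g(x) = x [1 - h((1 - exp(-x)) / 2)], the function maximized in the text."""
    return x * (1.0 - holevo_two_states(math.exp(-x)))


def golden_max(fn, lo, hi, tol=1e-10):
    """Golden-section search for the maximum of a unimodal function on [lo, hi]."""
    inv_phi = (math.sqrt(5.0) - 1.0) / 2.0
    a, b = lo, hi
    c, d = b - inv_phi * (b - a), a + inv_phi * (b - a)
    fc, fd = fn(c), fn(d)
    while b - a > tol:
        if fc > fd:
            b, d, fd = d, c, fc
            c = b - inv_phi * (b - a)
            fc = fn(c)
        else:
            a, c, fc = c, d, fd
            d = a + inv_phi * (b - a)
            fd = fn(d)
    return (a + b) / 2.0


def transmission(km, alpha_db_per_km=0.25):
    """Assumed loss model: t = 10^(-alpha * distance / 10)."""
    return 10.0 ** (-alpha_db_per_km * km / 10.0)


def bs_rate(mu, t, f=0.1, t_B=1.0, eta=0.1):
    """Beam-splitting bound in the regime mu * t * t_B * eta << 1."""
    overlap = math.exp(-mu * (1.0 - t))  # overlap of the two states kept by Eve
    return (1.0 - f) * mu * t * t_B * eta * (1.0 - holevo_two_states(overlap))


def optimal_point(km, **params):
    """Return (t, mu_opt, rate) at a given distance km > 0."""
    t = transmission(km)
    mu_opt = golden_max(lambda mu: bs_rate(mu, t, **params),
                        1e-9, 5.0 / (1.0 - t))
    return t, mu_opt, bs_rate(mu_opt, t, **params)


if __name__ == "__main__":
    xi = golden_max(g, 1e-9, 5.0)
    print("xi = %.4f, g(xi) = %.4f" % (xi, g(xi)))
    for km in (20, 60, 100, 140):
        t, mu_opt, rate = optimal_point(km)
        print("%4d km: t = %.3e, mu_opt = %.4f, R = %.3e" % (km, t, mu_opt, rate))
```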



APPENDIX C: ON THE ATTACK THAT 
REPRODUCES THE DETECTION RATES 

We give here the calculation of $(q_0, q_1, q_2, q_3)$ that
define the attack that reproduces the detection rates studied
in Section IV, and comment on some of its features.
We recall that we work in the limit $\mu t \eta \ll 1$ and that we
suppose that Eve sends one photon to Bob when she has
got a conclusive result.



Calculation of the parameters $(q_0, q_1, q_2, q_3)$ of the
attack



For $D_{B,bit}$ and $D_{B,decoy}$, the requirement (33) leads
respectively to the following two conditions:



„ \ 3 J^concl 

Qo) = 



1 /Y„ „Oa:aO 

2 yconcl 



1-/ 



/"(* - Qo) = 



^3 Pconcl 



4/ 



(CI) 
(C2) 



Given these two conditions, the requirement (33) is
automatically satisfied for $D_{M_j,2k}$ for both $j = 1,2$. This
is not astonishing, as these detection rates depend on
$f$ in the same way as those of $D_B$ do. Finally, for the
$D_{M_j,2k+1}$, the requirement (33) gives two new conditions:



fJ'it - qo) = 
- Qo) = 



4 njOaO 
3 ^1 ^conei 



-292P; 



concl ' ^ concl 



4 ^ „OaO 
3 ^1 yconcl 



(l + /)(3 + /) 



l_/2 



It can be checked that one of these conditions is redundant,
as it follows exactly from assuming the other one
together with (C1) and (C2); as a third condition, we
take then a simple linear combination of the last two
ones, which reads



APPENDIX D: THE CONSEQUENCE OF POOR 
STATISTICAL ANALYSIS: AN EXAMPLE 



^ ^Oa:aO 
g2 Pconcl 



(C3) 



In summary, we have four linear conditions [(C1), (C2),
(C3) and the normalization (32)] for the four coefficients
$q_j$: the system can be solved exactly as a function of $\mu$,
$t$ and $f$.

The solution, whose result is given in the main text,
Eqs (34)-(38), goes as follows. For $j = 1,2,3$, we
have $q_j = \mu(t - q_0)F_j$ where $F_2$ can be read directly in
Eq. (C3), $F_3$ in Eq. (C2), and $F_1 = 3(1 - 4f - f^2)/4p^{0\alpha0}_{concl}$
can be derived from those and from Eq. (C1). The
normalization condition (32) gives then $q_0 = \frac{\mu t F - 1}{\mu F - 1}$ with
$F = F_1 + F_2 + F_3$.

We must still verify that $q_0$ is a probability. Since
$t < 1$, the condition $q_0 < 1$ is satisfied provided $\mu F > 1$,
which is true for all values of $\mu$ and $f$ (in fact, it can
be verified that the minimal value of $\mu F$, obtained for
$\mu \sim 2$, is of the order 100, slightly dependent on $f$).
Given $\mu F > 1$, the condition $q_0 > 0$ is satisfied provided
$\mu t F > 1$. To fulfill this condition, one must know how $\mu$
varies with $t$. Let's consider first $\mu_{opt}$ as defined in (45):
then $\mu t F = 3(1 - t)$, therefore the condition is satisfied
for $t < 2/3$ or (with the parameters used for the graphs)
$\ell > 7$ km; in practice, recall that (45) is valid for $\mu \ll 1$,
that is for $t \ll 1$, so the result is consistent. If we take
now $\mu_{max} = \sqrt{3}\,\mu_{opt}$, we find $\mu t F = 1 - t$: the condition
can never be satisfied. This is not really a problem: it
simply means that Eve must add some losses, i.e. that
we must add to her strategy the possibility of blocking
pulses.



Let us suppose that Alice and Bob verify Q = 0,V = 1 

(without distinguishing decoy sequences from 1 — bit 
sequences) and just the average detection rate $D_B$. In
particular, they don't check that the fraction of decoy
sequences is the expected one: Eve can set $q_3 = 0$. As
simple examples of the attacks that become possible, Eve
can always attack with USD3 ($q_2 = 0$) or with USD4a
($q_1 = 0$).

USD3 attack. If $q_2 = q_3 = 0$ and only the detection
rate in $D_B$ is monitored, the set of requirements (33)
reduces to the sole condition q\D^^^ + (1 ~ 1'i)F>^B^ =
i.e. 



91 



r)f=l 



D 



(3) 



(Dl) 



The secret key rate that can be extracted against such 
an attack is 



R={1 



nt _ n(3) \ 

^ (3) Pb%- (D2) 



2. Behavior of $q_1, q_2, q_3$



In general, it holds $F_3 > F_2 > F_1$, that is, $q_3 > q_2 > q_1$,
for all values of $f$ and $\mu$. The fact that $q_3$ does not vanish
(and remains even larger than $q_1$ and $q_2$) if $f = 0$
is an artefact of the solution of the system. In fact, the
requirement on $D_{B,decoy}$ reads originally
$4f\,\mu(t - q_0) = q_3\,p^{0:\alpha\alpha:0}_{concl}$: if $f > 0$ it gives (C2) as we stated it; but if
$f = 0$, the requirement is automatically satisfied and no
constraint is put on $q_3$ (the best choice for Eve would
then be $q_3 = 0$). In any case, COW without decoy
sequences would be much more vulnerable against Eve's
attacks [4,5], so the case $f = 0$ is not of real interest. A
more meaningful question is what happens in the limit
$f \to 0$ for real implementations (blurred statistics, finite
key length); but, as already mentioned, we haven't yet
developed the mathematical tools which would allow
to tackle this problem.



The values of $\mu_{max}$, $\mu_{opt}$ and $R(\mu_{opt})$ can now be
computed as a function of $t$. Numerical solutions are plotted
in Fig. 4, as a function of the distance. We have plotted
two series of curves for our attack (describing the cases
where Eve forwards either one photon or bright pulses)
against the curve associated to the BS attack.
Analytical solutions can be obtained in the limit $\mu \ll 1$:
fJ-max = Ct, fiopt = Ct/2 and Rijiopt) = ^^isV Ct^ 
with $C = [6(1+f)\,t_B\eta]/[(1-f)^2\,\Pi(t_B\eta)]$. Note that
$R(\mu_{opt}) \propto t^2$, whereas for the attack that preserves
the detection rates we had the much slower decrease
$R(\mu_{opt}) \propto t^{3/2}$ [Eq. (46)].

USD4a attack. The analysis of the case $q_1 = q_3 = 0$
follows exactly the same pattern, just replacing D^^^ with 
D^-* — in fact, the only difference is the factor | which 
relates these two quantities, see Eqs (13) and (18). This 
attack gives slightly better rates than those plotted in
Fig. 4; in the case $\mu \ll 1$, the analytical solutions for
$\mu_{max}$, $\mu_{opt}$ and $R(\mu_{opt})$ are the same as before, with now
$C = [8(1+f)\,t_B\eta]/[(1-f)^2\,\Pi(t_B\eta)]$.

FIG. 4. USD3 attack, which becomes possible if Alice and
Bob check only the average detection rate. We plot the
optimal mean photon number $\mu_{opt}$ (upper graph) and
corresponding secret key rate $R$ (lower graph) as a function of the
distance d. Full lines: results for $\Pi(t_B\eta) = t_B\eta$ (Eve forwards
one photon); dashed lines: results for $\Pi(t_B\eta) = 1$ (Eve
forwards bright pulses). The attack is again compared to the
Holevo bound on the BS attack (Appendix B). The parameters
are the same as in Fig. 2.

The message of Fig. 4 is clear: these attacks are
significantly more powerful than the one in which Eve is
asked to reproduce all the detection rates (Fig. 2). In
particular, the distance $\ell$ at which the attacks become
important is approximately 50 km, well within the actual
experimental working range. To avoid these attacks, it
is therefore mandatory that Bob checks carefully his
detection rates.



APPENDIX E: USD ATTACKS IN THE CASE OF 
"EMPTY DECOY SEQUENCES" 

In this Appendix, we study a modification of the COW
protocol, which makes it more robust against the attacks
known to date (in particular, against the attacks studied
in this paper), while keeping the simplicity at the
experimental level. The modification consists in introducing
a new type of decoy sequence, which is just two empty
pulses. In this modified COW, Alice sends an "empty
decoy sequence" $|00\rangle$ with probability $f_0$, and a "full
decoy sequence" $|\alpha\alpha\rangle$ with probability $f_1$. We will write
$f = f_0 + f_1$. With probability $\frac{1-f}{2}$, Alice sends a logical
bit 0 (resp. 1).

It may be at first sight astonishing that additional
vacuum signals may provide an advantage; still, this
happens also in decoy state protocols [33]. In our case, the
possibility of new signals (albeit empty ones) makes the
unambiguous state discrimination that we have studied
in Section III less efficient, because the set of possible
states becomes larger.



1. Attack on 3 pulses 

Eve wants to discriminate the state $|0\alpha0\rangle$ from the
seven other possible states, which are now:

$$|000\rangle,\ |00\alpha\rangle,\ |0\alpha\alpha\rangle,\ |\alpha00\rangle,\ |\alpha0\alpha\rangle,\ |\alpha\alpha0\rangle,\ |\alpha\alpha\alpha\rangle. \tag{E1}$$

Note that the previous state $|\psi_{0\alpha0}\rangle$ [Eq. (11)] is not
orthogonal to $|000\rangle$. Instead, the state orthogonal to the
seven states listed in (E1) is



IV'Oqo) 



(E2) 



where $\phi$ is given by Eq. (25). As before, Eve performs a
projective measurement which separates $|\psi_{0\alpha0}\rangle$ from the
subspace orthogonal to it. Conditioned on the fact that
the state |OaO) was sent by Alice, the probability of a con- 



clusive result is |(OaO|V'OQo)| — (1 
This is smaller than the value (1 - 
absence of empty decoy sequences. 



X 



2\3 



(1 



"^)^ found in the 



2. Attack on 4 pulses 

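Eve wants to discriminate the state $|0\alpha\alpha0\rangle$ from the
fifteen other possible states, which are now:

$$|0000\rangle,\ |000\alpha\rangle,\ |00\alpha0\rangle,\ |00\alpha\alpha\rangle,\ |0\alpha00\rangle,$$
$$|0\alpha0\alpha\rangle,\ |0\alpha\alpha\alpha\rangle,\ |\alpha000\rangle,\ |\alpha00\alpha\rangle,\ |\alpha0\alpha0\rangle,$$
$$|\alpha0\alpha\alpha\rangle,\ |\alpha\alpha00\rangle,\ |\alpha\alpha0\alpha\rangle,\ |\alpha\alpha\alpha0\rangle,\ |\alpha\alpha\alpha\alpha\rangle. \tag{E3}$$

Note that the analysis is the same for attacks USD4a and
USD4b here, since all the sequences are possible.
The state orthogonal to these fifteen states is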



\lpOaao) 



(aa) -— X(/)(Oa) — x0(aO) 4- x^'t'i'^'^) 



(E4) 



Conditioned on the fact that the state $|0\alpha\alpha0\rangle$ was
sent by Alice, the probability of a conclusive result is
KOaaOji/'oaQo)!^ = (1 ^ X^)*- Again, the probability of
(1— )

success is smaller than the probability of success ^ ^_^^2 
for the USD4b attack, and much smaller than the one 
(1 — X^)^ for the USD4a attack in the absence of empty 
decoy sequences. 



3. Attack that preserves the detection rates 

The study follows exactly the same lines as for the
attack studied in Section IV and Appendix C. As we did
there, we suppose that Eve performs one of the three
USD attacks with probabilities $q_j$, or forwards the pulses
through a lossless channel with probability $q_0$. The
probabilities for each USD attack to be conclusive are the
following:



OqO 
fconcl 



Oa:aO 
Pconcl 



l-ffl-I 



2 

1-/ 



+ /o (1 - e-^^f , 



2 



0:aa:0 
r'concl 



= h 



(E5) 
(E6) 
(E7) 



Under the assumption that Eve forwards one photon
when her attack is conclusive, and in the regime where
$\mu t \eta \ll 1$, one finds $q_j = \mu(t - q_0)F_j$ for $j = 1,2,3$, and
$q_0 = \frac{\mu t F - 1}{\mu F - 1}$, with now:



Note that now, $\mu_{opt} \propto t^{1/3}$ and $R(\mu_{opt}) \propto t^{4/3}$: the
new protocol with empty decoy sequences is more robust
against our USD attacks. Besides, one gets $\mu_{max} =$

In general, the optimization of $R$ over $\mu$ must be done
numerically. We show the results in Fig. 5 for the same
parameters as we used for Fig. 2, but here $f = 0.1$ is
split into $f_0 = f_1 = 0.05$. We see that, in the presence
of empty decoy sequences, the USD attack that reproduces
all rates overcomes the beam-splitting attack only
for $\ell > 120$ km.









[Fig. 5 legend: $\mu_{opt}$ for BS (Holevo bound); for USD on the COW protocol
without empty decoy sequences; for USD on the COW protocol
with empty decoy sequences.]

Fi =



3(1 - 4/i - (/i - hf) 

^concl 

(1 - /o + h? 



„Oa:QO 
^ concl 



F. 



4/i 



^^concl 



F ^F^ 



F. 



(E8) 

(E9) 

(ElO) 
(Ell) 



Apart from the obvious restriction $f_0 + f_1 < 1$, since
$F_1$ has to be positive there is a restriction on the values
of $f_0$ and $f_1$ for this attack to be possible:
$f_1 < \min\left(1/4,\ -2 + f_0 + \sqrt{5 - 4f_0}\right)$.

The upper bound on the extractable secret key rate is 



i?(M) 



QoF'sMt 



qolJ-tsvi^ - /) 



(E12) 



In the limit /it <C 1, the optimization of R can be done 
analytically, using F{p) « ^ with T = ^^^*f\Z^f"^Y + 



and go 



t 



(1-/1+/0) 
Alice and Bob will choose 



In order to optimize R,

FIG. 5. USD attack that reproduces the detection rates, on
the COW protocol, with and without empty decoy sequences,
compared to the Holevo bound on the BS attack. Same
parameters as in Fig. 2, and $f_0 = f_1 = 0.05$.



l^opt 

and obtain the rate 



^1/3^1/3 



RifJ-opt) 



(E13) 



(E14)